Rinki Sethi Leads The Cybersecurity Charge At Twitter
CISO had a hacker mindset as a young girl in Cupertino, California
– Di Freeze, Managing Editor
Northport, N.Y. – Mar. 9, 2021
Rinki Sethi, presently Twitter’s VP and CISO, doesn’t fit the typical “cybersecurity person” mold. She laughs when recalling the 2016 Ignite Conference she attended as Palo Alto Networks’ senior director of Information Security. During a general session, Anthony Zuiker, the creator of “CSI: Cyber,” apologized for the way he depicted the character of cyber expert Avery Ryan.
“He said he was really proud that he created the show and brought a lot of awareness to cybersecurity, but he was apologizing that he had portrayed the main character, played by Patricia Arquette, as running around in high heels while solving incidents,” she said. “All my peers sitting near me looked back at me, and I was like, ‘That’s me!’ I had my hand raised because I wanted to tell him not to apologize for that. I wanted to thank him for glamorizing it. I thought it was incredible. Every girl is different. Having a different portrayal of the security industry and the professionals in it was amazing.”
If you had asked Sethi 20 years ago when she started her career in cybersecurity if she could see herself as a chief information security officer, her answer would have been “no, because there were so few women in the field then.” And what if you had asked her, “Would you ever see yourself dealing with incidents?”
“No,” she said. “I was told that wasn’t a good job for a woman because if you want to have a family and kids, you don’t want to have a job where you might be on call 24/7.”
Like Avery Ryan, Sethi said she finally took a role later in her career where she was “dealing with incidents and running around in high heels.”
“Boy, did I love it!” she said. “That to me is women in cyber! It can be anybody, and I want more girls to see that you can be who you are and be in cybersecurity. It’s not necessarily the guy in the hoodie there hacking on a computer. That stereotype is no longer true. I’m another cybersecurity geek, but with a different face than what the norm is. Hopefully, the norm changes drastically over the next decade.”
So just how did Sethi end up at Twitter as VP and CISO? You could say that journey began long ago, in Cupertino, California, when Sethi was a young girl in the charge of her strict Indian parents.
She used to build her own computers
“My parents were immigrants from India,” she said. “My dad grew up really poor. He received a full scholarship from the prime minister. Education was core to everything in our household. He was also into new technology. I remember computers being around from the time I was born. As soon as they were good enough for us to start playing with, we had access to computer games.”
She recalled having a computer to do her schoolwork on in junior high and high school.
“I would build my own computers too,” she said. “Just throw an operating system on there.”
That computer know-how came in handy when Rinki suspected her father was spying on her computer activities.
“He was having a dialog with my mom one day and I overheard him say something that I had typed in a chat to a friend,” she said. “At first, I thought maybe he logged into my computer and I had the chat screen open, but I wanted to be ultra-sure, so I went and started looking at all the software that was installed on my machine. I saw something I didn’t recognize.”
Realizing that he had put a keylogger on the computer, Sethi quickly uninstalled it.
“At that time, it wasn’t known as a keylogger,” she said. “It was a parent’s tool to track their kids and see who they were chatting with and what they were saying online. He wanted to see if I was chatting with boys. I told my sister that I found it and that she probably had it on her computer too. After I uninstalled it, he reinstalled it a few days later and I found it again. Eventually, I just built a program off of some code I found on the internet that would notify me any time that application was installed again.”
Sethi laughs and says she thinks she always had that “kind of hacker mindset.”
“How do you break into things?” she said. “It was always in my head. That was kind of what sparked my interest.”
When it came time to decide her career, and where she would go to college, Sethi, who was taking a business law class in school, told her father she wanted to be a lawyer.
“He told me, ‘That’s the second degree you would get. What’s your first degree, because I would prefer you go into engineering or do something in the medical field. If you’re going to do a law degree and you want to do something other than engineering, I prefer you go to a community college.’ I wanted to get as far away from home as I could. I was good with computers, and I was really good with math, so I decided to go into computer science engineering.”
While in college at the University of California, Davis, Sethi thought she’d be a developer or perhaps a database engineer.
“Something like that, mostly because of the jobs I had held while I was in college, which had to do with that kind of work,” she said. “I graduated during the dot-com bust, and there weren’t many jobs out there at the time.”
When Pacific Gas and Electric recruited one of her friends, she asked Sethi to tag along.
“She said, ‘Rinki, there’s free pizza. At least you’ll get dinner out of it.’”
Sethi ended up chatting with one of the hiring managers from PG&E after the session was over.
“He asked me, ‘What’s your favorite class?’ I answered cryptography. He responded with, ‘That’s interesting. Not a lot of computer science students say cryptography as their favorite subject.’ I shared with him why I liked it and how fascinating I found it. It was so different than the programming work that we normally did. He said, ‘We actually have a job open for information protection and I’d love to interview you for it tomorrow.’”
Sethi got the job as an information security specialist. It was her introduction to cybersecurity, but she really got passionate about the field when Walmart.com hired her two years later as a security engineer.
“Walmart.com was a wholly-owned subsidiary of Walmart at the time,” she said. “There were somewhere between 400 and 600 employees. I was one of two people on a security team building the whole security program from scratch.”
Walmart.com had hired Sethi because they needed to do a PCI audit and needed someone with experience on the policy and auditing side.
“That’s not what my passion was, but that’s the expertise I brought at that point,” she said. “They needed to start building out policies and to have training for developers. I was a developer at heart. I realized I could really teach developers about security and get them to care about it. How do you drive security culture change within a company and build that into its DNA? I learned that was my passion in that role.”
Sethi recalled having a great manager. Later, another person joined the team.
“They basically took me under their wings and taught me what I needed to know about cybersecurity,” she said. “They walked me into a server room, showed me what it looked like, and taught me how to do vulnerability scans, how to take down phishing sites, and how to do a penetration test.”
Sethi had her first child while she was with Walmart.com. A desire to work nearer to home and to do something closer to what she loved to do prompted her to leave Walmart.com and join eBay.
“They had undergone some big spear-phishing attacks,” she said. “They needed to start driving more awareness and culture change in the company, train employees to not fall victim to attacks like that.”
One of the things they did early on was roll out a phishing testing program.
“That was very new to non-banking companies,” she said. “We also built a security champions community. Very few companies were already doing that.”
Sethi was with eBay for three and a half years before she felt it was time to move on again, this time to Intuit. One of the reasons was the birth of her second child.
“I had built a really good team that was doing well operationally,” she said, “and I was itching for my next challenge.”
Intuit hired her as an information security officer for two of their business units. She joined Intuit when they were going into public cloud and moving data from TurboTax into AWS.
“They were looking to do a complete transformation,” she said. “Four to six months after I got there, I was asked to take on product security and transform that as well as the role that I was already playing, so I jumped into a completely different aspect of security. That was an interesting time at a financial company that was really leading the way on what you could do in public cloud with sensitive data.”
When an opportunity to become VP of Information Security at Palo Alto Networks came up, Sethi couldn’t resist the challenge.
“It was another career change because I moved from product security to security operations, leading the buildout of incident response and threat management,” she said. “It was doing everything from building out a physical security operations center to 24/7 incident response to building out a team of hackers, red teamers, that were attacking our infrastructure and finding issues before the bad guys — or bad girls — did, and then running security culture as well.”
After three years with Palo Alto Networks, Rinki left to take the role of VP of Information Security at IBM.
“I was drawn by the number of systems and endpoints and employees that you have to protect,” she said. “Building security at scale like that really fascinated me.”
A few months into that role, Sethi admits to thinking she had made a “career mistake.”
“Things didn’t move at a pace that I was used to working for Bay Area companies,” she said. “Making an impact meant spending maybe the next ten, fifteen years of my career there. I felt that I couldn’t thrive at that pace. I decided I would stay about a year and then maybe start looking again.”
After about four months with IBM, however, someone told Sethi about an opportunity at Rubrik and said she’d be a great fit as CISO.
“Rubrik had just suffered a public breach and needed to build out a really strong security program,” she said. “I was fascinated by their story in terms of being that unicorn startup. The growth that they had seen was tremendous.”
As VP and CISO, Sethi built the security program, hired a team, and was helping Rubrik with its IPO when COVID-19 entered the picture.
“When you’re ramping up to go public, you really have to ramp up your plans on security,” she said. “When that slows down, the security challenges slow down. I was at home, and I started feeling like I had a lot more time on my hands. I wasn’t in a rush to leave, but I was starting to say, if something new pops up that really intrigues me, I’m probably going to take the leap.”
In 2020, an executive search firm reached out to Sethi regarding a few roles that didn’t interest her. Then they mentioned that Twitter had been searching for a CISO. That did interest her, and she joined Twitter in September.
“They had just had their breach and they were really investing in making sure that security was the number one priority within the company,” she said. “The other thing that really sparked my interest was Twitter was really trying to protect the public conversation. They were making some bold decisions, and I wanted to be a part of that journey and to help Twitter be at the forefront in how they’re thinking about security and protection internally. They’ve had some very unique challenges and interesting attacks that we hadn’t seen before. It sparked some interesting conversations, like what do we need to do to change in protecting the public conversation and making sure that people are getting the right information.”
Twitter had already started focusing on decentralization and moving to a global workforce outside of where they had offices prior to COVID-19. That made Sethi’s hiring experience a little different than in the past.
“I completely virtually interviewed, virtually onboarded, and have not met a single person that I work with at Twitter yet. I can’t wait for the offices to open so I can, but it’s been fully remote, and it’s worked,” she said.
Sethi said that many other companies have used Twitter as a role model in how they set up a remote workforce, secured it, and still kept a strong sense of culture.
When it comes to protection, Sethi has other concerns, like how to protect her 12-year-old daughter and 8-year-old son from online hazards.
“You would think because I’m a cybersecurity professional that I was a great adviser for my kids, but that was not the case,” she said. “One day my daughter was playing a game on her iPad and the game had an automated text message that said, ‘Would you like to buy more coins?’ She texted back, ‘I’ll ask my dad when he wakes up.’ It was actually one-way text messaging, but it made me realize that could have been some bad person messaging. It put a real fear in me that I need to teach my kids and I need to teach others too and teach other parents. I couldn’t believe that as a cybersecurity practitioner I had not paid attention and not taught my child about that.”
Besides making sure her kids were properly trained, she had a part in making sure that other children were as well.
“When I was at Palo Alto Networks, we had a lot of opportunities to engage with communities to train them on security,” she said. “We partnered with the Girl Scouts to launch the first cybersecurity badge. I helped with building the curriculum, and I also helped launch that initiative alongside Sylvia Acevedo. I’ve had the privilege of overseeing some of the Girl Scouts and even teaching curriculum that we developed outside of the country.”
Sethi says it’s her hope that some of those girls will eventually be applying for careers in cybersecurity, which brings the conversation back around to women in cybersecurity.
“We recently hired two women into the cybersecurity team at Twitter,” she said. “It makes me proud to see more women enter the field, because there’s still not as many of us as should be there.”
It’s possible that her own daughter could be one of those women. Sethi says she has proof that she has at least entertained the idea.
“At one point, somewhere around second or third grade, my daughter had to write about what she wanted to be when she grew up. She said a cybersecurity engineer. I took a picture of what she wrote. I was really proud of that moment, but kids change what they want to do every day. More recently it’s been wanting to be a doctor, so we’ll see.”
Sethi also has a lot to say on the subject of mentoring. She works with Everwise, which connects employees to the people and insights they need to be more productive and successful at every stage of their career.
“I’ve had a chance to mentor many amazing women through that program,” she said. “They partner you based on skills that you feel you have that are strong and where others want to learn.”
Although being mentored is a great way to become involved in cybersecurity, it’s not the only way.
“There are a lot of books and resources out there now too,” she said. “I think a lot of times people think, ‘I’m going to go find a CISO to talk to.’ That’s not necessarily the best mentor. One of my peers was my mentor early in my career. A lot of times people think it’s going to be someone ‘up there’ that’s going to help me, but a lot of times it’s people right around you that you might not consider mentors that are already mentoring you. Also, I’ve reached out to people in different areas of expertise and said, ‘I’d love to pick your brain in this area.’ It’s a great resource too.”
Then there are the traditional routes to cybersecurity training. When Sethi was at PG&E, she took classes and read many books on cybersecurity. She also pursued several certifications.
“I realized that I wanted more education,” she said. “I wanted to learn about the field, because I felt very pigeonholed when I was at PG&E for the work I was doing. I didn’t want to leave cybersecurity without understanding what it was all about. I decided to pursue my master’s degree at Capella University, which was a virtual university based out of Minneapolis. I did that for two years while I was working.”
Sethi also thinks it’s important that women, and men, realize how broad the field of cybersecurity is.
“There are so many interesting areas,” she said. “I feel like there’s a job for any expertise in it. So many roles need to be filled and there are just not enough people. You’re never going to be out of a job in this field. Learn as much as you can. Pursue different areas of cybersecurity. Try to get involved in projects that specialize in different areas so that you can learn the different options and find your passion.”
Rinki Sethi is featured in “Women Know Cyber: 100 Fascinating Females Fighting Cybercrime.” Pick up a copy to learn about more women fighting cybercrime.
– Di Freeze is Managing Editor at Cybersecurity Ventures.